
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #86

October 28, 2016


Senator Seeks Answers to IoT Security Issues Following Botnet Attack
FCC Approves New Internet Data Privacy Rules


Adobe Releases Out of Cycle Fix for Critical Flash Player Flaw
Schneider Electric Fixes Unity PRO Vulnerability
PayPal Fixes Two-Factor Authentication Bypass Flaw
Two of Three LibTIFF Flaws Patched
ISPs Could Help Secure Existing IoT Devices
Microsoft Extends Office 2016 Macro Security Feature to Office 2013
US Director of National Intelligence: It's Time to Separate Cyber Command from NSA
OMB Releases Draft Guidelines for Federal IT Modernization
National Cyber Incident Response Plan
Environment-Specific Security for Law Enforcement Vehicle Laptops
Mozilla Distrusting New WoSign and StartCom Certificates



*********************** Sponsored By Sophos Inc. ************************

The Next thing in Next-Gen: Sophos XG Firewall brings a fresh new approach to the way you manage your firewall, respond to threats, and monitor what's happening on your network. Get ready for a whole new level of simplicity, security and insight. Learn more: http://www.sans.org/info/189492



--Healthcare Cybersecurity Summit & Training | November 14-21, 2016 | Houston, TX |

--SANS London 2016 | November 12-21, 2016 | London, UK |

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC |

--SANS Amsterdam 2016 | December 12-17, 2016 | Amsterdam, Netherlands |

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA |

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 |

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV |

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 |

--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA |

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan |

--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore |



Senator Seeks Answers to IoT Security Issues Following Botnet Attack (October 25, 2016)

US Senator Mark Warner (D-Virginia) has asked the Federal Communications Commission (FCC), Federal Trade Commission (FTC), and the Department of Homeland Security's (DHS) National Cybersecurity & Communications Integration Center (NCCIC) for responses and solutions to the threat of unsecured Internet of Things (IoT) devices, like those that were used in the distributed denial-of-service (DDoS) attack on Dyn. Warner asked questions regarding the role of ISPs in responding to DDoS threats; possible strategies for removing vulnerable devices from the commerce stream; and establishing metrics for consumers so they understand the security implications of the devices they are purchasing.

[Editor Comments ]

[Pescatore ]
The good news is that Senator Warner's letter asks some very meaningful questions aimed at why the ISPs and the FCC (and other government agencies) aren't doing more to drive consumer devices and services to basic levels of security. The bad news is the FCC and the ISPs, since 2011, have pretty much substituted numerous reports from the FCC/ISP Communications Security, Reliability and Interoperability Council for any actual action. In early 2014, I briefed the President's National Security Telecommunications Advisory Committee (NSTAC) on IoT, basic security hygiene and the importance of ISPs and mobile carriers and they came out with a report in late 2014 that essentially recommended more reports. Senator Warner - please, please require some simple actions, not more reports!

[Ullrich ]
ISPs for the most part are not causing or contributing to DDoS attacks, but carry most of the cost because they need to respond to keep customer connections working. In this case, the manufacturer was negligent in shipping products with a trivial-to-exploit vulnerability. Just like with other dangerous products, a coordinated recall would be an appropriate response (Xiongmai announced one, but it isn't clear how it will work).

[Murray ]
Trivial devices cannot be permitted to become the Achilles Heel of the public infrastructure. Appliances should do what, and only what, is absolutely required by their intended purpose; an easy "standard" to understand. If appliances must have exploitable general purpose functionality, then it must be controlled using asymmetric key cryptography, not by fixed, or even user chosen, passwords. If rogue hackers can discover them and incorporate them into bot-nets, then we must have the authority and capability to discover and eliminate them. This is urgent; the longer we tolerate this problem, the more difficult it will be to address.

[Henry ]
The senator is asking the proper questions. There are two issues I've got concern over. First, while I'm not a fan of excessive regulation, there needs to be a coordinated effort within the government to look at this. I've spent enough time in government to know that a letter from a senator, sent to three separate government agencies, will result in all those agencies spinning up a machine to respond and begin to develop mitigation strategies. This issue is significant, and requires collaboration between agencies to assess the problem and define areas of responsibility, to best protect the infrastructure and the consumer. Secondly, the issue of ISPs playing a role in responding to DDoS has been in play for many years. I think it needs to be revisited. Typical Terms of Service already authorize ISPs to disconnect consumers who violate their terms, and having insecure devices could likely be considered a violation of most TOS. Most regions of our country have a requirement that automobiles have an annual safety inspection to ensure they're not a hazard to other motorists; the government has the right to prevent unsafe vehicles from riding on the roadways. ISPs can be a part of the DDoS solution if effective policy is instituted and executed, in support of both infrastructure protection and the best interests of consumers.

Read more in:

KrebsOnSecurity: Senator Prods Federal Agencies on IoT Mess

Senator Warner's Letter: Sen. Mark Warner Probes Friday's Crippling Cyber Attack

FCC Approves New Internet Data Privacy Rules (October 27, 2016)

The US Federal Communications Commission (FCC) has approved new rules aimed at protecting sensitive consumer data. The rules require broadband providers, including Verizon, Comcast, and AT&T, to obtain customers' permission before sharing data the FCC has deemed to be sensitive. These data include precise geo-location; financial information; health information; children's information; web browsing and app usage histories; and contents of communications. ISPs also must be clear about what information they collect and with whom they share it.

[Editor Comments ]

[Northcutt ]
Sounds good, but the proof is in the implementation. My iPhone wants to update all the time. How can I check the user agreement every time? For this to work, the big three providers need to create a common interface marked PRIVATE or SHARED, for each question. It cannot be application dependent; it needs to be global. And there should be some authentication proof to keep an underage user from breaching the privacy so they can play Nintendo or some such.

Read more in:

Christian Science Monitor: Privacy push: FCC ruling means users must ‘opt in’ to let data be sold

The Hill: FCC approves new privacy rules for ‘sensitive’ internet data

ZDNet: FCC imposes new consumer privacy rules on ISPs

Washington Post: The FCC just passed sweeping new rules to protect your online privacy

FCC: FCC Adopts Privacy Rules to Give Broadband Consumers Increased Choice, Transparency, and Security for Their Personal Data (PDF)

*************************** SPONSORED LINKS *****************************

1) Hear from security pioneers who are upgrading to NGAV and want to share their experiences. Learn More: http://www.sans.org/info/189497

2) Find out what you need to know about protecting physical assets in your OT environment. Register: http://www.sans.org/info/189502

3) Looking for a solution to your security issue? Visit the SANS Affiliate Directory for a list of vendors who may be able to help! http://www.sans.org/info/189507



Adobe Releases Out of Cycle Fix for Critical Flash Player Flaw (October 26, 2016)

Adobe has released an emergency fix for a critical use-after-free vulnerability in Flash Player that is being actively exploited. The issue affects most versions of Flash, including those for Windows, OS X, Linux, and Chrome OS. Users are advised to update as soon as possible. Those using Google's Chrome browser will get the update automatically, and those using Microsoft Edge and more recent versions of Internet Explorer (IE 11 and later) will get the fix directly from Microsoft.

[Editor Comments ]

[Liston ]
I would like to personally thank Adobe for helping me pay off my house and put my kids through college - without the mindbogglingly numerous flaws in Flash and Acrobat, the Internet would be a different (and safer) place and I would probably have had much less to do over the past 10 years.

Read more in:

Dark Reading: Adobe Rushes Out Emergency Patch For Critical Flash Player Vulnerability

The Register: Adobe emits emergency patch for Flash hole malware is exploiting right this minute

V3: Emergency fix issued for Flash zero-day

Schneider Electric Fixes Unity PRO Vulnerability (October 27, 2016)

Schneider Electric has fixed a flaw in its Unity PRO industrial controller management software that could be exploited to allow arbitrary code execution. The issue affects all versions of Unity PRO prior to v11.1. Schneider Electric has notified its customers. Indegy, the organization that initially detected the flaw and notified Schneider, has also posted an advisory.

Read more in:

The Register: Schneider Electric plugs gaping hole in industrial control kit

Schneider Electric: Security Notification - Unity Simulator

Indegy: New SCADA Vulnerability Enables Remote Control of ICS Networks

PayPal Fixes Two-Factor Authentication Bypass Flaw (October 27, 2016)

PayPal has fixed a security issue that allowed attackers to bypass its two-factor authentication process. By using a proxy server to intercept PayPal server requests, an attacker could alter HTTP data, making it appear that a security question had been correctly answered. PayPal was notified of the flaw on October 3 and fixed it three days later.
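The bug class described above, as an added example that is not PayPal's code or the researcher's: a hypothetical login flow with a security-question second step, written first in the vulnerable form (the request itself carries a field saying the question was passed, so anyone who can edit the request through an intercepting proxy can skip the step) and then in a hardened form that keeps the challenge state only on the server. All names, request fields and account data here are invented for the illustration.

```python
# Added example (not PayPal's code): a hypothetical login-plus-security-question
# flow, vulnerable and hardened. USERS and every field name are constructed.
import hmac
import secrets

# Constructed account data for the demo.
USERS = {"alice": {"password": "correct horse", "answer": "Rex"}}


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison so timing does not leak the secret."""
    return hmac.compare_digest(a.encode(), b.encode())


def vulnerable_login(request: dict) -> str:
    """Single-request login. Returns 'ok', 'need_question' or 'denied'.

    The bug: whether the security question was passed is itself a field of
    the request ('securityQuestionPassed'), so the client decides the outcome.
    """
    user = USERS.get(request.get("user", ""))
    if user is None or not _eq(user["password"], request.get("password", "")):
        return "denied"
    if request.get("securityQuestionPassed") == "true":   # trusts the client
        return "ok"
    if _eq(user["answer"], request.get("answer", "")):
        return "ok"
    return "need_question"


def tamper_via_proxy(request: dict) -> dict:
    """What an intercepting proxy lets the attacker do: rewrite the POST body
    so it claims the question was answered, without knowing the answer."""
    tampered = dict(request)
    tampered.pop("answer", None)
    tampered["securityQuestionPassed"] = "true"
    return tampered


class HardenedServer:
    """Same flow, but the challenge state lives only on the server."""

    def __init__(self) -> None:
        self._sessions = {}   # session id -> {"user": ..., "stage": ...}

    def login(self, request: dict):
        """Password step. Returns (status, session_id)."""
        user = USERS.get(request.get("user", ""))
        if user is None or not _eq(user["password"], request.get("password", "")):
            return "denied", None
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": request["user"], "stage": "question_pending"}
        return "need_question", sid

    def answer_question(self, sid: str, request: dict) -> str:
        """Second step. Only the submitted answer is compared; no request flag
        can move the session past the challenge."""
        sess = self._sessions.get(sid)
        if sess is None or sess["stage"] != "question_pending":
            return "denied"
        if _eq(USERS[sess["user"]]["answer"], request.get("answer", "")):
            sess["stage"] = "authenticated"
            return "ok"
        return "denied"

    def is_authenticated(self, sid: str) -> bool:
        sess = self._sessions.get(sid)
        return sess is not None and sess["stage"] == "authenticated"


if __name__ == "__main__":
    creds = {"user": "alice", "password": "correct horse"}
    print("vulnerable, honest client :", vulnerable_login(creds))
    print("vulnerable, proxied client:", vulnerable_login(tamper_via_proxy(creds)))
    srv = HardenedServer()
    status, sid = srv.login(creds)
    print("hardened, password step   :", status)
    print("hardened, proxied answer  :", srv.answer_question(sid, tamper_via_proxy(creds)))
    print("hardened, real answer     :", srv.answer_question(sid, {"answer": "Rex"}))
```

The point of the hardened version is that the only thing the client can influence at the second step is the answer string; the decision about which step the session is in, and whether it has passed, is server-side state keyed by an unguessable session id, so editing the request in a proxy gains nothing.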

[Editor Comments ]

[Liston ]
There are two areas where you should never "roll your own": two factor authentication and encryption. Why? Because your developers are not as smart as they think they are in those areas. Pay the money for a third party implementation and be happy that you did.

Read more in:

Softpedia: UK Researcher Finds Stupid, Simple Method to Bypass PayPal 2FA

The Register: PayPal patches bone-headed two factor authentication bypass

BBC: PayPal fixes 'worrying' security bug

Two of Three LibTIFF Flaws Patched (October 27, 2016)

In a blog post, Cisco's Talos Group describes three vulnerabilities in the LibTIFF library that could be exploited to allow remote code execution. The flaws are: an exploitable heap-based buffer overflow affecting the LibTIFF TIFF2PDF conversion tool; an issue with parsing and handling TIFF images; and an exploitable heap-based buffer overflow in the handling of compressed TIFF images in LibTIFF's PixarLogDecode API. Patches for the two heap-based buffer overflow flaws are available from the LibTIFF GitHub repository; there is currently no patch available for the parsing issue.

Read more in:

Talos: Vulnerability Spotlight: LibTIFF Issues Lead to Code Execution

ZDNet: LibTIFF library security flaws lead to remote code execution

The Register: Three LibTIFF bugs found, only two patched

ISPs Could Help Secure Existing IoT Devices (October 27, 2016)

Attacks will continue as long as a large number of vulnerable devices are connected to the Internet, or until the devices are secured. The best way to reduce the number of vulnerable IoT devices is to ensure that they are secure before they are made available to consumers. But how can the vulnerable devices already in use be secured? Internet service providers could help "by blocking or filtering malicious traffic driven by malware in known patterns." ISPs could also notify customers if devices on their networks are sending or receiving malicious traffic.

[Editor Comments ]

[Ullrich ]
ISPs already do a lot of this. With many ISPs, you are no longer able to connect to the Mirai botnet controllers, for example; and botnet traffic significantly dropped after ISPs took these measures. ISPs are stuck with the short end of the stick cleaning up what IoT manufacturers broke. But keep in mind that all these mitigation techniques cost money and are going to be passed on to the consumer. Your $50 security camera may be a lot more expensive than you realize.

[Pescatore ]
See the previous item on Senator Warner's letter to the FCC. ISPs and mobile carriers can and should do much, much more to drive basic security hygiene for all Internet connected devices.

[Shpantzer ]
ISPs should be proactive and figure out what can be done voluntarily, before DC decides to help out in possibly unhelpful ways. ISPs are a natural target for regulation here, as securing devices globally is much more of a futile effort compared to making their obviously bad traffic be less harmful to the infrastructure. Ironically, ISPs themselves are sometimes victims of DDoS, and they offer clean pipe and DDoS mitigation services for a premium.

Read more in:

Wired: Internet Providers Could be the Key to Securing All the IoT Devices Already There

Microsoft Extends Office 2016 Macro Security Feature to Office 2013 (October 27, 2016)

Microsoft has extended a security feature in Office 2016 to Office 2013 to protect users from malicious macros, which have recently been used to spread malware. The feature was introduced in Group Policy for Office 2016; it allows admins to selectively block macros from loading in questionable situations. Users have been able to disable macros by default since Office 97.

[Editor Comments ]

[Murray ]
Escape mechanisms have been recognized as a vulnerability since before the All Souls Worm (the anniversary of which we recognize this week.) They are more difficult to deal with today because they are often buried far down in the stack.

[Shpantzer ]
Ask around the office, maybe with surveymonkey, who uses macros in Word or Excel. Your macro policies are likely less restrictive than necessary in many parts of the org where they serve no purpose except to call powershell and bypass application whitelisting.

Read more in:

ZDNet: Microsoft Office malware: Now more users get anti-hacker, macro-blocking features

US Director of National Intelligence: It's Time to Separate Cyber Command from NSA (October 25, 2016)

US Director of National Intelligence James Clapper says that the US Cyber Command should separate from the National Security Agency (NSA). All 113 Cyber Command teams have now reached initial operating capability. When Cyber Command was established in 2009, it was under the command of the NSA director. Others say that Cyber Command should remain under the command of the NSA director.

[Editor Comments ]

[Pescatore ]
Offense informing defense is a good thing. But combining both in one enormous organization does not increase information flow between the two sides and creates a conflict of interest and purpose that (at the national level at least) has resulted in the focus on increasing security and safety taking a back seat to offensive operations.

Read more in:

Federal News Radio: Cyber Command's teams reach initial operating capability; Clapper says it's time to separate them from NSA

OMB Releases Draft Guidelines for Federal IT Modernization (October 27, 2016)

The US Office of Management and Budget (OMB) has published draft guidelines for agencies to help them with the process of modernizing legacy federal IT systems. In a blog post, Federal CIO Tony Scott describes the four phases of IT system modernization: development of updated Enterprise Roadmaps; identification and prioritization of systems; development of modernization profiles for high-priority systems; and execution. The guidelines have a 30-day comment period.

[Editor Comments ]

[Pescatore ]
"Modernization" or any major IT transition presents optimal opportunities for making major advances in security, but just upgrading or replacing legacy systems does *not* automatically increase security. Badly configured and managed modern systems will largely be just as easy to breach as badly configured and managed legacy systems. So, there is a good opportunity to re-emphasize two critical areas for any projects that get the "Modernization Approved" stamp: (1) More focus on "buy secure" in federal procurements; and (2) Prioritization of basic security hygiene requirements in all build and deploy plans.

Read more in:

Federal News Radio: OMB reveals proposed guidelines on federal IT modernization

FCW: OMB floats new rules of the road for IT modernization

Office of the Federal CIO: Information Technology Modernization Initiative (Draft)

White House Blog: Laying the Foundation for a More Secure, Modern Government

National Cyber Incident Response Plan (October 26, 2016)

US Presidential Policy Directive 41 (PPD-41) calls for the National Cyber Incident Response Plan, originally drafted in 2010, to be updated. The revision is scheduled to be complete in January 2017. While the revised plan enumerates principles, roles, and responsibilities during a significant cyber incident, it is unclear about the circumstances that would bring the plan into action.

Read more in:

FCW: Finalizing cyber response plan might be easier than deciding when to use it

Environment-Specific Security for Law Enforcement Vehicle Laptops (October 27, 2016)

The US National Institute of Standards and Technology (NIST) is seeking to develop a sign-on solution for law enforcement vehicle laptop systems that will help law enforcement officers to access information quickly while performing their duties. NIST is accepting comment on the document, Authentication for Law Enforcement Vehicle Systems, through November 10, 2016.

Read more in:

GCN: Simpler sign-on for police officers

NIST: Authentication for Law Enforcement Vehicle Systems

Mozilla Distrusting New WoSign and StartCom Certificates (October 24, 2016)

Mozilla has begun distrusting WoSign and StartCom certificates with a notBefore date after October 21, 2016 that chain to certain roots. The decision was made after the discovery that WoSign had been backdating SSL certificates to circumvent the January 1, 2016 deadline for certificate authorities (CAs) to stop issuing SHA-1 SSL certificates. WoSign was also found to have acquired another CA, StartCom, without disclosing the transaction. Mozilla has also stopped accepting audit results from Ernst & Young Hong Kong.

[Editor Comments ]

[Ullrich ]
This is a big deal for users of StartSSL. StartSSL, a certificate authority based in Israel, is known for issuing free certificates that are well recognized by different browsers. Many smaller sites use them. Wosign, the certificate authority at the center of this issue, purchased StartSSL and many of the irregularities that Wosign got accused of also affect StartSSL and Mozilla is distrusting them too. Luckily, certificates issued before October 21st will remain valid. But you need to stop using either CA now. Your best free option right now is to go with Letsencrypt. But this will require a retooling of some of your certificate request processes. Letsencrypt certificates are only valid for 90 days at a time and they heavily rely on scripts to automatically renew them.

Read more in:

Mozilla Blog: Distrusting New WoSign and StartCom Certificates

ZDNet: Mozilla slaps ban on China's WoSign: Firefox drops trust for certs over 'deception'


Joomla Fixes Two Critical Vulnerabilities

Letsencrypt Domain Verification Problem

New Locky Variants: Pumpkin Locky

Pagers still in use for Critical Infrastructure

Adobe Releases Emergency Patch For Flash

Mobile Pwn2Own Writeup

Mozilla Will Stick With Blacklisting Startcom/WoSign

Joomla Exploit Released

Google Spreadsheet Vulnerability

Small Changes to Ransomware E-Mails May Fool Some Mail Filters

Microsoft / Google Release Browser Updates to Address Flash Vulnerability

Social Media "Support" Phishing

Path Traversal Vulnerability in gnu tar

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create